Discover and read the best of Twitter Threads about #dfiriss3xy

1\ #DFIR: How to investigate insider threats

Sharing the forensic methodology I follow when I'm investigating insiders 😍

This is where an employee sells creds/changes configs/runs malware leading to full DA compromise and then says they didn't do it O_o

inversecos.com/2022/10/how-to…

2\ The questions that I use to guide the analysis and prioritisation of analysis are:

1. How was the device accessed around the suspected behaviour?

2. Where was the user/device when this occurred?

3. Was the insider active on their system?

4. What did the user do?

3\ To answer the first question, I look at SRUM, specifically the App Timeline Provider details.

I pull:
> Execution time of the malicious thingz
> Duration of execution
> User SID

Then, I cross-correlate that user info with their corresponding ActivitiesCache.db. #DFIRISS3XY
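The cross-correlation step described in tweet 3 (SRUM App Timeline execution time, duration and user SID matched against that user's ActivitiesCache.db) as an added worked example; this is not code from the thread or from inversecos. It assumes the SRUM App Timeline rows have already been exported to dicts (the field names `timestamp`, `app`, `duration_ms`, `user_sid` are hypothetical; real SRUDB.dat is an ESE database and needs a separate parser), and it builds a constructed in-memory `Activity` table with a subset of the real ActivitiesCache.db columns (`AppId` JSON, `ActivityType`, `StartTime`/`EndTime` as Unix epoch seconds) so it runs offline.

```python
"""Correlate SRUM App Timeline execution windows with ActivitiesCache.db entries."""
import json
import sqlite3
from datetime import datetime, timezone

# ActivityType values commonly seen in ActivitiesCache.db (5 = ExecuteOpen, 6 = InFocus).
ACTIVITY_TYPES = {5: "ExecuteOpen", 6: "InFocus"}

# Constructed SRUM "App Timeline Provider" records (hypothetical export format,
# already parsed out of SRUDB.dat by some other tool).
SRUM_APP_TIMELINE = [
    {"timestamp": "2022-10-03T09:15:00Z", "app": r"\Users\jdoe\Downloads\tool.exe",
     "duration_ms": 120_000, "user_sid": "S-1-5-21-1111-2222-3333-1001"},
    {"timestamp": "2022-10-03T09:40:00Z", "app": r"\Windows\System32\notepad.exe",
     "duration_ms": 5_000, "user_sid": "S-1-5-21-1111-2222-3333-1001"},
    # A different user's process at the same time: must not be attributed to jdoe.
    {"timestamp": "2022-10-03T09:15:10Z", "app": r"\Windows\System32\cmd.exe",
     "duration_ms": 60_000, "user_sid": "S-1-5-21-1111-2222-3333-1002"},
]


def ts(s):
    """ISO-8601 UTC string -> Unix epoch seconds (ActivitiesCache.db stores epoch seconds)."""
    return int(datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp())


def iso(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def appid(path):
    """Mimic the AppId JSON array found in ActivitiesCache.db (constructed)."""
    return json.dumps([{"application": path, "platform": "x_exe_path"}])


def build_sample_activities_db():
    """Constructed stand-in for jdoe's ActivitiesCache.db (subset of the real Activity columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Activity (AppId TEXT, ActivityType INTEGER, "
                 "StartTime INTEGER, EndTime INTEGER)")
    rows = [
        (appid(r"C:\Users\jdoe\Downloads\tool.exe"), 5, ts("2022-10-03T09:14:30Z"), ts("2022-10-03T09:17:00Z")),
        (appid(r"C:\Program Files\Chrome\chrome.exe"), 6, ts("2022-10-03T08:00:00Z"), ts("2022-10-03T08:30:00Z")),
        (appid(r"C:\Windows\explorer.exe"), 6, ts("2022-10-03T09:16:00Z"), ts("2022-10-03T09:20:00Z")),
        # EndTime 0: the activity was still open when the database was collected.
        (appid(r"C:\Windows\System32\notepad.exe"), 6, ts("2022-10-03T09:39:50Z"), 0),
    ]
    conn.executemany("INSERT INTO Activity VALUES (?, ?, ?, ?)", rows)
    return conn


def app_from_appid(appid_json):
    """Prefer the x_exe_path entry of the AppId array; fall back to the first entry."""
    entries = json.loads(appid_json)
    for entry in entries:
        if entry.get("platform") == "x_exe_path":
            return entry["application"]
    return entries[0]["application"] if entries else ""


def correlate(srum_records, conn, user_sid, slack=60):
    """For each SRUM execution by user_sid, list Activity rows overlapping its window.

    A row overlaps when it started before the window ends and either ended after the
    window starts or has EndTime 0 (open-ended). `slack` widens the window by N seconds
    to absorb clock granularity between the two artefacts.
    """
    matches = []
    for rec in srum_records:
        if rec["user_sid"] != user_sid:   # ActivitiesCache.db is per-user; only that SID counts
            continue
        start = ts(rec["timestamp"])
        end = start + rec["duration_ms"] // 1000
        cur = conn.execute(
            "SELECT AppId, ActivityType, StartTime, EndTime FROM Activity "
            "WHERE StartTime <= ? AND (EndTime = 0 OR EndTime >= ?) ORDER BY StartTime",
            (end + slack, start - slack),
        )
        for app_json, atype, s, e in cur:
            matches.append({
                "srum_app": rec["app"],
                "srum_window": (iso(start), iso(end)),
                "activity_app": app_from_appid(app_json),
                "activity_type": ACTIVITY_TYPES.get(atype, str(atype)),
                "activity_start": iso(s),
                "activity_end": iso(e) if e else "open",
            })
    return matches


if __name__ == "__main__":
    db = build_sample_activities_db()
    for m in correlate(SRUM_APP_TIMELINE, db, "S-1-5-21-1111-2222-3333-1001"):
        print(m)
```

The query deliberately treats `EndTime = 0` as open-ended rather than as a zero-length activity; otherwise an application that was still in focus at collection time would silently drop out of the overlap check, which is exactly the window an investigator cares about most.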